Growing Mistrust of India’s Biometric ID Scheme

In India, a massive effort is underway to collect biometric identity information for each of the country’s 1.2 billion people. The incredible plan, dubbed the “mother of all e-governance projects” by the Economic Times, has stirred controversy in India and beyond, raising serious concerns about the privacy and security of individuals’ personal data.

The plan is moving ahead at a clip under the auspices of the National Population Register (NPR) and the Unique ID (UID) programs, separately governed initiatives that have an agreement to integrate the data they collect to build the world’s largest biometric database. Upon enrollment, individuals are issued 12-digit unique ID numbers on chip-based identity cards. For residents who lack the necessary paperwork to obtain certain kinds of employment or government services, there’s strong incentive to get a unique ID. While the UID program is voluntary, enrollment in the NPR program is mandatory for all citizens.

The NPR program's stated objectives are to streamline the delivery of government services such as welfare or subsidies, prevent identity fraud, and facilitate economic development, but some critics contend that the plan has its roots in an agenda focused on national security. Indian journalist Aman Sethi argues in a New York Times Op-Ed that the NPR originated with a 1992 government campaign to deport undocumented Bangladeshi immigrants, and that the creation of a comprehensive identity database was intended “exclusively to assist law enforcement.” And while UID was originally created to target India’s poorest 200 million citizens to facilitate service delivery, it has since been expanded to cover the country’s entire population.

The UID program is administered by the Unique Identity Authority of India (UIDAI), an executive body created to oversee the issuance of unique ID numbers for the stated purpose of facilitating access to benefits and services. At the helm of UID is Nandan Nilekani, a billionaire who made his fortune in the tech industry before ascending to his current role as chairman of the UIDAI.

While the NPR program has been moving ahead since 2004 with a relatively low level of public opposition, the more recently introduced UID project has sparked controversy. UID took center stage during a political feud last December when Parliament’s Standing Committee on Finance rejected a bill establishing the National Identification Authority of India, which would have granted the UID program statutory mandate. Although the bill was submitted in 2010, the UIDAI had already begun processing individuals and issuing numbers pending Parliamentary approval of the legislation, operating under the authority of the executive branch. The committee rejected the reasoning that they had the authority to do so, calling the program’s legality into question.

In late January, a compromise deal was struck between the NPR and the UID program administrators following a political turf war, when officials announced “the NPR and UID projects would proceed side by side to ensure that all Indian citizens have a unique number by June 2013.” Project administrators from UIDAI and India’s Ministry of Home Affairs, which oversees the Indian Census and the NPR program, announced that they would collaborate to de-duplicate the data to eliminate overlap for integration purposes.

Collecting Biometric Data

To date, some 170 million individuals have been registered in the UID program. To perform the data collection, the UIDAI has executed Memoranda of Understanding (MOU) with partners -- including states, union territories and 25 financial institutions -- to act as registrars for implementing the scheme, according to a Parliamentary committee report.

The registrars, in turn, contract with tech firms such as Wipro, a company that has issued at least 6 million UID numbers in Maharashtra. Agents gather the data by going from village to village to set up processing camps, toting laptops and scanning equipment along with them and scrambling to process as many individuals as possible each day. In addition to demographic information, individuals’ biometric information is collected with iris scanners, fingerprint scanners, and face cameras that employ facial recognition technology. Morpho, a technology company, is a primary UID contractor that develops and maintains systems to crosscheck new applications by sifting through the biometrics database and prevent actual or fraudulent duplication.

The UID program is known as Aadhar, which also refers to the unique 12-digit number citizens are issued upon enrollment. According to recent news reports, a pilot program will link Aadhar with financial and banking services in 50 districts in a move that the UIDAI program director says will “change the financial landscape of the country.”

Nilekani has championed the UID program as a tool that can aid low-income sectors of India’s population by streamlining the delivery of public services and creating a system that is more inclusive to the poor. Yet R. Ramakumar of the Tata Institute of Social Sciences in Mumbai pushes back against this point in an op-ed in The Hindu, charging, “the UID would be an alibi for the state to leave the citizen unmarked in the market for social services.”

And if the interviews with Delhi’s poorest residents in this report is any indication, there’s also a danger that some marginalized individuals could slip through the cracks altogether.

An issue of greater concern, however, is that the biometric database could open the door to significant violations of personal privacy. The Aadhar system became mired in controversy last December surrounding the Parliamentary Standing Committee on Finance’s rejection of legislation that would have given it statutory mandate. In a report, lawmakers based their disapproval on concerns about security, data theft and the fact that that a national data protection law has yet to be enacted.

“The collection of biometric information and its linkage with personal information of individuals without statutory amendment appears to be beyond the scope of subordinate legislation,” committee members wrote.

They also seized on the risk, uncertainty, and potential for privacy violations that would be ushered in under the massive scheme:

“Considering the huge database size and possibility of misuse of information, enactment of a national data protection law, which is at a draft stage, is a prerequisite for any law that deals with large scale collection of information from individuals and its linkages across separate database…The committee is afraid that the scheme may wind up being dependent on private agencies…”

Despite these concerns, the UID program continues, while at the same time, biometric data collection for the NPR moves ahead on a separate track. Mandatory registration for all citizens in the NPR went into effect with the 2004 amendment of the Citizenship Act, providing that “the Central Government may compulsorily register every citizen of India and issue National Identity Card[s].”

Civil Society Responds

The Center for Internet and Society (CIS) has criticized the system due to design flaws that pose security and privacy concerns.

"We don’t need Aadhar because we already have a much more robust identity management and authentication system based on digital signatures that has a proven track record of working at a ‘billions-of-users scale on the Internet with reasonable security,” CIS Director Sunil Abraham noted in a Business Standard op-ed. “The UID project based on the so-called ‘infallibility of biometrics’ is deeply flawed in design. These design disasters waiting to happen cannot be permanently thwarted by band-aid policies.

"Biometrics are poor authentication factors because once they are compromised they cannot be re-secured unlike digital signatures. Additionally, an individual’s biometrics can be harvested remotely without his or her conscious cooperation. The iris can be captured remotely without a person’s knowledge using a high-res digital camera." (For more detailed information on CIS's work on India's UID program, see here, here, here, here, here, and here.

Delhi-based NGOs have also condemned UID as an affront to civil liberties that violates citizens' basic constitutional right to privacy.

In his Op-Ed, Ramakumar echoes Indian economist Amartya Sen in arguing that the system could open the door to abuse by law enforcement:

“There is a related concern: police and security forces, if allowed access to the biometric database, could extensively use it for regular surveillance and investigative purposes, leading to a number of human rights violations. As Amartya Sen has argued elsewhere, forced disclosure and loss of privacy always entailed ‘the social costs of the associated programs of investigation and policing.’ According to him, ‘some of these investigations can be particularly nasty, treating each applicant as a potential criminal.’"

Meanwhile, famed activist Arundhati Roy voiced scathing criticism against India’s biometric collection scheme, saying, “The UID is a corporate scam which funnels billions of dollars into the IT sector. To me, it is one of the most serious transgressions that is on the cards. It is nothing more than an administrative tool in the hands of a police state.”

It is irrationally excessive to collect this sensitive biometric data in a centralized nation-wide ID scheme. The massive collection of biometric information in a centralized ID scheme is not necessary nor proportionate in a democratic society.

EFF has documented (here, here, and here) the function creep risks that this data collection poses to privacy and security, including in those countries with data protection laws like the European Union. Informed analysis of the long-term consequences of the misused and secondary uses of this data collection and its impact in people’s lives should have been given to all citizens before the collection even started. There is still time to ask the Indian government to dismantle that colossal database, like the UK did.

Related Updates

Last month, 360 cyber crime experts from 95 countries gathered in Strasbourg to attend the Octopus Conference. The event sounds like something from James Bond, and when you look at the attendee list—which includes senior figures from the United States Department of Justice, national police forces across the...

When she went to Egypt for vacation, Mona el-Mazbouh surely didn’t expect to end up in prison. But after the 24-year-old Lebanese tourist posted a video in which she complained of sexual harassment—calling Egypt a lowly, dirty country and its citizens “pimps and prostitutes”—el-Mazbouh was arrested at Cairo’s airport and...

Against all the odds, but with the support of nearly a million Europeans, MEPs voted earlier this month to reject the EU's proposed copyright reform—including controversial proposals to create a new "snippet" right for news publishers, and mandatory copyright filters for sites that published user uploaded content. The...

The hope that filled Egypt's Internet after the 2011 January 25 uprising has long since faded away. In recent years, the country's military government has instead created a digital dystopia, pushing once-thriving political and journalism communities into closed spaces or offline, blocking dozens of websites, and arresting a...

As we reported last week, JURI, the key European Parliamentary committee working on copyright reform, voted on June 20th to support compulsory copyright filters for media platforms (Article 13), and to create a new requirement on websites to obtain a license before linking to news stories (...

“YouTube keeps deleting evidence of Syrian chemical weapon attacks” “Azerbaijani faces terrorist propaganda charge in Georgia for anti-Armenian Facebook post” “Medium Just Took Down A Post It Says Doxed ICE Employees” These are just a sampling of recent headlines relating to the regulation of user-generated online content, an increasingly controversial...

Vint Cerf, Tim Berners-Lee, and Dozens of Other Computing Experts Oppose Article 13 As Europe's latest copyright proposal heads to a critical vote on June 20-21, more than 70 Internet and computing luminaries have spoken out against a dangerous provision, Article 13, that would require Internet platforms to automatically...

The pending update to the EU Copyright Directive is coming up for a committee vote on June 20 or 21 and a parliamentary vote either in early July or late September. While the directive fixes some longstanding problems with EU rules, it creates much, much larger ones: problems so big...

Update: On June 5, 2018, authorities extended Abbas' detention for another fifteen days. We will continue to post updates on his plight here.When we wrote of award-winning journalist Wael Abbas being silenced by social media platforms in February, we never suspected that those suspensions would reach beyond the...

Anyone looking at their inbox in the last few months might think that the Internet companies have collectively returned from a term-of-service writers' retreat. Company after company seem to have simultaneously decided that your privacy is tremendously important to them, and collectively beg you take a look at their updated...